authlogic 3.8.0 → 4.5.0

data/lib/authlogic/session/password.rb

@@ -6,7 +6,7 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :validate_by_password, :if => :authenticating_with_password?
+          validate :validate_by_password, if: :authenticating_with_password?
 
           class << self
             attr_accessor :configured_password_methods
@@ -119,7 +119,7 @@ module Authlogic
         # should be an instance method. It should also be prepared to accept a
         # raw password and a crytped password.
         #
-        # * <tt>Default:</tt> "valid_password?"
+        # * <tt>Default:</tt> "valid_password?" defined in acts_as_authentic/password.rb
         # * <tt>Accepts:</tt> Symbol or String
         def verify_password_method(value = nil)
           rw_config(:verify_password_method, value, "valid_password?")
@@ -127,45 +127,14 @@ module Authlogic
         alias_method :verify_password_method=, :verify_password_method
       end
 
-      # Password-related instance methods
+      # Password related instance methods
       module InstanceMethods
-        E_AC_PARAMETERS = <<-STR.strip_heredoc.freeze
-          You have passed an ActionController::Parameters to Authlogic 3. That's
-          OK for now, but in Authlogic 4, it will raise an error. Please
-          replace:
-
-              UserSession.new(user_session_params)
-              UserSession.create(user_session_params)
-
-          with
-
-              UserSession.new(user_session_params.to_h)
-              UserSession.create(user_session_params.to_h)
-
-          And don't forget to `permit`!
-
-          During the transition of rails to Strong Parameters, it has been
-          common for Authlogic users to forget to `permit` their params. They
-          would pass their params into Authlogic, we'd call `to_h`, and they'd
-          be surprised when authentication failed.
-
-          In 2018, people are still making this mistake. We'd like to help them
-          and make authlogic a little simpler at the same time, so in Authlogic
-          3.7.0, we deprecated the use of ActionController::Parameters.
-
-          We discussed this issue thoroughly between late 2016 and early
-          2018. Notable discussions include:
-
-          - https://github.com/binarylogic/authlogic/issues/512
-          - https://github.com/binarylogic/authlogic/pull/558
-          - https://github.com/binarylogic/authlogic/pull/577
-        STR
-
         def initialize(*args)
-          if !self.class.configured_password_methods
+          unless self.class.configured_password_methods
             configure_password_methods
             self.class.configured_password_methods = true
           end
+          instance_variable_set("@#{password_field}", nil)
           super
         end
 
@@ -184,14 +153,23 @@ module Authlogic
 
         # Accepts the login_field / password_field credentials combination in
         # hash form.
+        #
+        # You must pass an actual Hash, `ActionController::Parameters` is
+        # specifically not allowed.
+        #
+        # See `Authlogic::Session::Foundation#credentials=` for an overview of
+        # all method signatures.
         def credentials=(value)
           super
-          values = parse_param_val(value) # add strong parameters check
-
+          values = Array.wrap(value)
           if values.first.is_a?(Hash)
-            values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
-              next if value.blank?
-              send("#{field}=", value)
+            sliced = values
+              .first
+              .with_indifferent_access
+              .slice(login_field, password_field)
+            sliced.each do |field, val|
+              next if val.blank?
+              send("#{field}=", val)
             end
           end
         end
@@ -202,106 +180,138 @@ module Authlogic
 
         private
 
-          def configure_password_methods
-            if login_field
-              self.class.send(:attr_writer, login_field) if !respond_to?("#{login_field}=")
-              self.class.send(:attr_reader, login_field) if !respond_to?(login_field)
-            end
-
-            if password_field
-              self.class.send(:attr_writer, password_field) if !respond_to?("#{password_field}=")
-              self.class.send(:define_method, password_field) {} if !respond_to?(password_field)
-
-              # The password should not be accessible publicly. This way forms
-              # using form_for don't fill the password with the attempted
-              # password. To prevent this we just create this method that is
-              # private.
-              self.class.class_eval <<-"end_eval", __FILE__, __LINE__
-                private
-                  def protected_#{password_field}
-                    @#{password_field}
-                  end
-              end_eval
-            end
+        def add_invalid_password_error
+          if generalize_credentials_error_messages?
+            add_general_credentials_error
+          else
+            errors.add(
+              password_field,
+              I18n.t("error_messages.password_invalid", default: "is not valid")
+            )
           end
+        end
 
-          def authenticating_with_password?
-            login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+        def add_login_not_found_error
+          if generalize_credentials_error_messages?
+            add_general_credentials_error
+          else
+            errors.add(
+              login_field,
+              I18n.t("error_messages.login_not_found", default: "is not valid")
+            )
           end
+        end
 
-          def validate_by_password
-            self.invalid_password = false
+        def authenticating_with_password?
+          login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+        end
 
-            # check for blank fields
-            if send(login_field).blank?
-              errors.add(login_field, I18n.t('error_messages.login_blank', :default => "cannot be blank"))
-            end
-            if send("protected_#{password_field}").blank?
-              errors.add(password_field, I18n.t('error_messages.password_blank', :default => "cannot be blank"))
-            end
-            return if errors.count > 0
+        def configure_password_methods
+          define_login_field_methods
+          define_password_field_methods
+        end
 
-            self.attempted_record = search_for_record(find_by_login_method, send(login_field))
-            if attempted_record.blank?
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid"))
-              return
-            end
+        def define_login_field_methods
+          return unless login_field
+          self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
+          self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
+        end
 
-            # check for invalid password
-            if !attempted_record.send(verify_password_method, send("protected_#{password_field}"))
-              self.invalid_password = true
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
-              return
-            end
-          end
+        def define_password_field_methods
+          return unless password_field
+          self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
+          self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
+
+          # The password should not be accessible publicly. This way forms
+          # using form_for don't fill the password with the attempted
+          # password. To prevent this we just create this method that is
+          # private.
+          self.class.class_eval(
+            <<-EOS, __FILE__, __LINE__ + 1
+              private
+                def protected_#{password_field}
+                  @#{password_field}
+                end
+            EOS
+          )
+        end
 
-          attr_accessor :invalid_password
+        # In keeping with the metaphor of ActiveRecord, verification of the
+        # password is referred to as a "validation".
+        def validate_by_password
+          self.invalid_password = false
+          validate_by_password__blank_fields
+          return if errors.count > 0
+          self.attempted_record = search_for_record(find_by_login_method, send(login_field))
+          if attempted_record.blank?
+            add_login_not_found_error
+            return
+          end
+          validate_by_password__invalid_password
+        end
 
-          def find_by_login_method
-            self.class.find_by_login_method
+        def validate_by_password__blank_fields
+          if send(login_field).blank?
+            errors.add(
+              login_field,
+              I18n.t("error_messages.login_blank", default: "cannot be blank")
+            )
+          end
+          if send("protected_#{password_field}").blank?
+            errors.add(
+              password_field,
+              I18n.t("error_messages.password_blank", default: "cannot be blank")
+            )
           end
+        end
 
-          def login_field
-            self.class.login_field
+        # Verify the password, usually using `valid_password?` in
+        # `acts_as_authentic/password.rb`. If it cannot be verified, we
+        # refer to it as "invalid".
+        def validate_by_password__invalid_password
+          unless attempted_record.send(
+            verify_password_method,
+            send("protected_#{password_field}")
+          )
+            self.invalid_password = true
+            add_invalid_password_error
           end
+        end
+
+        attr_accessor :invalid_password
+
+        def find_by_login_method
+          self.class.find_by_login_method
+        end
+
+        def login_field
+          self.class.login_field
+        end
 
-          def add_general_credentials_error
-            error_message =
+        def add_general_credentials_error
+          error_message =
             if self.class.generalize_credentials_error_messages.is_a? String
               self.class.generalize_credentials_error_messages
             else
               "#{login_field.to_s.humanize}/Password combination is not valid"
             end
-            errors.add(:base, I18n.t('error_messages.general_credentials_error', :default => error_message))
-          end
-
-          def generalize_credentials_error_messages?
-            self.class.generalize_credentials_error_messages
-          end
+          errors.add(
+            :base,
+            I18n.t("error_messages.general_credentials_error", default: error_message)
+          )
+        end
 
-          def password_field
-            self.class.password_field
-          end
+        def generalize_credentials_error_messages?
+          self.class.generalize_credentials_error_messages
+        end
 
-          def verify_password_method
-            self.class.verify_password_method
-          end
+        def password_field
+          self.class.password_field
+        end
 
-          # In Rails 5 the ActionController::Parameters no longer inherits from HashWithIndifferentAccess.
-          # See: http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#actioncontroller-parameters-no-longer-inherits-from-hashwithindifferentaccess
-          # This method converts the ActionController::Parameters to a Hash
-          def parse_param_val(value)
-            if value.first.class.name == "ActionController::Parameters"
-              ActiveSupport::Deprecation.warn(E_AC_PARAMETERS)
-              [value.first.to_h]
-            else
-              value.is_a?(Array) ? value : [value]
-            end
-          end
+        def verify_password_method
+          self.class.verify_password_method
+        end
       end
     end
   end

data/lib/authlogic/session/perishable_token.rb

@@ -13,11 +13,12 @@ module Authlogic
 
       private
 
-        def reset_perishable_token!
-          if record.respond_to?(:reset_perishable_token) && !record.disable_perishable_token_maintenance?
-            record.reset_perishable_token
-          end
+      def reset_perishable_token!
+        if record.respond_to?(:reset_perishable_token) &&
+            !record.disable_perishable_token_maintenance?
+          record.reset_perishable_token
         end
+      end
     end
   end
 end

data/lib/authlogic/session/persistence.rb

@@ -10,9 +10,10 @@ module Authlogic
       end
 
       module ClassMethods
-        # This is how you persist a session. This finds the record for the current session using
-        # a variety of methods. It basically tries to "log in" the user without the user having
-        # to explicitly log in. Check out the other Authlogic::Session modules for more information.
+        # This is how you persist a session. This finds the record for the
+        # current session using a variety of methods. It basically tries to "log
+        # in" the user without the user having to explicitly log in. Check out
+        # the other Authlogic::Session modules for more information.
         #
         # The best way to use this method is something like:
         #
@@ -28,30 +29,35 @@ module Authlogic
         #     @current_user = current_user_session && current_user_session.user
         #   end
         #
-        # Also, this method accepts a single parameter as the id, to find session that you marked with an id:
+        # Also, this method accepts a single parameter as the id, to find
+        # session that you marked with an id:
         #
         #   UserSession.find(:secure)
         #
         # See the id method for more information on ids.
         def find(id = nil, priority_record = nil)
-          session = new({ :priority_record => priority_record }, id)
+          session = new({ priority_record: priority_record }, id)
           session.priority_record = priority_record
           if session.persisting?
             session
-          else
-            nil
           end
         end
       end
 
       module InstanceMethods
-        # Let's you know if the session is being persisted or not, meaning the user does not have to explicitly log in
-        # in order to be logged in. If the session has no associated record, it will try to find a record and persist
-        # the session. This is the method that the class level method find uses to ultimately persist the session.
+        # Returns boolean indicating if the session is being persisted or not,
+        # meaning the user does not have to explicitly log in in order to be
+        # logged in.
+        #
+        # If the session has no associated record, it will try to find a record
+        # and persist the session.
+        #
+        # This is the method that the class level method find uses to ultimately
+        # persist the session.
         def persisting?
-          return true if !record.nil?
+          return true unless record.nil?
           self.attempted_record = nil
-          self.remember_me = !cookie_credentials.nil? && !cookie_credentials[2].nil?
+          self.remember_me = cookie_credentials_remember_me?
           before_persisting
           persist
           ensure_authentication_attempted

data/lib/authlogic/session/priority_record.rb

@@ -1,8 +1,10 @@
 module Authlogic
   module Session
-    # The point of this module is to avoid the StaleObjectError raised when lock_version is implemented in ActiveRecord.
-    # We accomplish this by using a "priority record". Meaning this record is used if possible, it gets priority.
-    # This way we don't save a record behind the scenes thus making an object being used stale.
+    # The point of this module is to avoid the StaleObjectError raised when
+    # lock_version is implemented in ActiveRecord. We accomplish this by using a
+    # "priority record". Meaning this record is used if possible, it gets
+    # priority. This way we don't save a record behind the scenes thus making an
+    # object being used stale.
     module PriorityRecord
       def self.included(klass)
         klass.class_eval do
@@ -10,7 +12,8 @@ module Authlogic
         end
       end
 
-      # Setting priority record if it is passed. The only way it can be passed is through an array:
+      # Setting priority record if it is passed. The only way it can be passed
+      # is through an array:
       #
       #   session.credentials = [real_user_object, priority_user_object]
       def credentials=(value)
@@ -21,15 +24,15 @@ module Authlogic
 
       private
 
-        def attempted_record=(value)
-          value = priority_record if value == priority_record
-          super
-        end
+      def attempted_record=(value)
+        value = priority_record if value == priority_record
+        super
+      end
 
-        def save_record(alternate_record = nil)
-          r = alternate_record || record
-          super if r != priority_record
-        end
+      def save_record(alternate_record = nil)
+        r = alternate_record || record
+        super if r != priority_record
+      end
     end
   end
 end

data/lib/authlogic/session/scopes.rb

@@ -1,4 +1,4 @@
-require 'request_store'
+require "request_store"
 
 module Authlogic
   module Session
@@ -25,10 +25,10 @@ module Authlogic
           RequestStore.store[:authlogic_scope]
         end
 
-        # What with_scopes focuses on is scoping the query when finding the object and the
-        # name of the cookie / session. It works very similar to
-        # ActiveRecord::Base#with_scopes. It accepts a hash with any of the following
-        # options:
+        # What with_scopes focuses on is scoping the query when finding the
+        # object and the name of the cookie / session. It works very similar to
+        # ActiveRecord::Base#with_scopes. It accepts a hash with any of the
+        # following options:
         #
         # * <tt>find_options:</tt> any options you can pass into ActiveRecord::Base.find.
         #   This is used when trying to find the record.
@@ -37,21 +37,27 @@ module Authlogic
         #
         # Here is how you use it:
         #
-        #   UserSession.with_scope(:find_options => {:conditions => "account_id = 2"}, :id => "account_2") do
-        #     UserSession.find
-        #   end
+        # ```
+        # UserSession.with_scope(find_options: {conditions: "account_id = 2"}, id: "account_2") do
+        #   UserSession.find
+        # end
+        # ```
         #
-        # Essentially what the above does is scope the searching of the object with the
-        # sql you provided. So instead of:
+        # Essentially what the above does is scope the searching of the object
+        # with the sql you provided. So instead of:
         #
-        #   User.where("login = 'ben'").first
+        # ```
+        # User.where("login = 'ben'").first
+        # ```
         #
         # it would be:
         #
-        #   User.where("login = 'ben' and account_id = 2").first
+        # ```
+        # User.where("login = 'ben' and account_id = 2").first
+        # ```
         #
-        # You will also notice the :id option. This works just like the id method. It
-        # scopes your cookies. So the name of your cookie will be:
+        # You will also notice the :id option. This works just like the id
+        # method. It scopes your cookies. So the name of your cookie will be:
         #
         #   account_2_user_credentials
         #
@@ -59,9 +65,13 @@ module Authlogic
         #
         #   user_credentials
         #
-        # What is also nifty about scoping with an :id is that it merges your id's. So if you do:
+        # What is also nifty about scoping with an :id is that it merges your
+        # id's. So if you do:
         #
-        #   UserSession.with_scope(:find_options => {:conditions => "account_id = 2"}, :id => "account_2") do
+        #   UserSession.with_scope(
+        #     find_options: { conditions: "account_id = 2"},
+        #     id: "account_2"
+        #   ) do
         #     session = UserSession.new
         #     session.id = :secure
         #   end
@@ -69,7 +79,7 @@ module Authlogic
         # The name of your cookies will be:
         #
         #   secure_account_2_user_credentials
-        def with_scope(options = {}, &block)
+        def with_scope(options = {})
           raise ArgumentError.new("You must provide a block") unless block_given?
           self.scope = options
           result = yield
@@ -79,9 +89,9 @@ module Authlogic
 
         private
 
-          def scope=(value)
-            RequestStore.store[:authlogic_scope] = value
-          end
+        def scope=(value)
+          RequestStore.store[:authlogic_scope] = value
+        end
       end
 
       module InstanceMethods
@@ -98,21 +108,30 @@ module Authlogic
 
         private
 
-          # Used for things like cookie_key, session_key, etc.
-          def build_key(last_part)
-            [scope[:id], super].compact.join("_")
+        # Used for things like cookie_key, session_key, etc.
+        def build_key(last_part)
+          [scope[:id], super].compact.join("_")
+        end
+
+        # `args[0]` is the name of an AR method, like
+        # `find_by_single_access_token`.
+        def search_for_record(*args)
+          search_scope.scoping do
+            klass.send(*args)
           end
+        end
 
-          def search_for_record(*args)
-            session_scope = if scope[:find_options].is_a?(ActiveRecord::Relation)
-              scope[:find_options]
-            else
-              klass.send(:where, scope[:find_options] && scope[:find_options][:conditions] || {})
-            end
-            session_scope.scoping do
-              klass.send(*args)
-            end
+        # Returns an AR relation representing the scope of the search. The
+        # relation is either provided directly by, or defined by
+        # `find_options`.
+        def search_scope
+          if scope[:find_options].is_a?(ActiveRecord::Relation)
+            scope[:find_options]
+          else
+            conditions = scope[:find_options] && scope[:find_options][:conditions] || {}
+            klass.send(:where, conditions)
           end
+        end
       end
     end
   end

data/lib/authlogic/session/session.rb

@@ -1,6 +1,7 @@
 module Authlogic
   module Session
-    # Handles all parts of authentication that deal with sessions. Such as persisting a session and saving / destroy a session.
+    # Handles all parts of authentication that deal with sessions. Such as persisting a
+    # session and saving / destroy a session.
     module Session
       def self.included(klass)
         klass.class_eval do
@@ -9,7 +10,7 @@ module Authlogic
           persist :persist_by_session
           after_save :update_session
           after_destroy :update_session
-          after_persisting :update_session, :unless => :single_access?
+          after_persisting :update_session, unless: :single_access?
         end
       end
 
@@ -29,38 +30,47 @@ module Authlogic
       module InstanceMethods
         private
 
-          # Tries to validate the session from information in the session
-          def persist_by_session
-            persistence_token, record_id = session_credentials
-            if !persistence_token.nil?
-              # Allow finding by persistence token, because when records are created the
-              # session is maintained in a before_save, when there is no id. This is done
-              # for performance reasons and to save on queries.
-              record = record_id.nil? ?
-                search_for_record("find_by_persistence_token", persistence_token.to_s) :
-                search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
-              self.unauthorized_record = record if record && record.persistence_token == persistence_token
-              valid?
-            else
-              false
+        # Tries to validate the session from information in the session
+        def persist_by_session
+          persistence_token, record_id = session_credentials
+          if !persistence_token.nil?
+            record = persist_by_session_search(persistence_token, record_id)
+            if record && record.persistence_token == persistence_token
+              self.unauthorized_record = record
             end
+            valid?
+          else
+            false
           end
+        end
 
-          def session_credentials
-            [
-              controller.session[session_key],
-              controller.session["#{session_key}_#{klass.primary_key}"]
-            ].collect { |i| i.nil? ? i : i.to_s }.compact
+        # Allow finding by persistence token, because when records are created
+        # the session is maintained in a before_save, when there is no id.
+        # This is done for performance reasons and to save on queries.
+        def persist_by_session_search(persistence_token, record_id)
+          if record_id.nil?
+            search_for_record("find_by_persistence_token", persistence_token.to_s)
+          else
+            search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
           end
+        end
 
-          def session_key
-            build_key(self.class.session_key)
-          end
+        def session_credentials
+          [
+            controller.session[session_key],
+            controller.session["#{session_key}_#{klass.primary_key}"]
+          ].collect { |i| i.nil? ? i : i.to_s }.compact
+        end
 
-          def update_session
-            controller.session[session_key] = record && record.persistence_token
-            controller.session["#{session_key}_#{klass.primary_key}"] = record && record.send(record.class.primary_key)
-          end
+        def session_key
+          build_key(self.class.session_key)
+        end
+
+        def update_session
+          controller.session[session_key] = record && record.persistence_token
+          compound_key = "#{session_key}_#{klass.primary_key}"
+          controller.session[compound_key] = record && record.send(record.class.primary_key)
+        end
       end
     end
   end